
Something evil on 188.120.198.1 ...

FYI...

Something evil on 188.120.198.1 - (IP4ISP / LuckyNet, Czech Republic)
- http://blog.dynamoo.com/2014/07/some...81-ip4isp.html
21 July 2014 - "... Cushion Redirect sites closely related to this attack a few weeks ago* but this time hosted on 188.120.198.1 (IP4ISP / LuckyNet, Czech Republic). You can see the -redirect- in action in this URLquery report** and VirusTotal*** has a clear indication of badness on this IP. All the sites are -hijacked- subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer... the most effective way of securing your network is to permablock 188.120.198.1.
Recommended blocklist: 188.120.198.1
e-meskiesprawy24 .com.pl
dora-explorer .co.uk
adultvideoz .net
alsancakescort .org
anadoluyakasiescort .asia"
* http://blog.dynamoo.com/2014/07/some...vh-france.html

Facebook video scam leaves unamusing Trojan
- http://net-security.org/malware_news.php?id=2814
21.07.2014 - "... video spreading on Facebook leaves a not-so-hilarious Trojan in its wake on users’ computers, according to research by Bitdefender. The malware, believed to originate from Albania, can access a large amount of data from the user’s internet browser. The scam begins with what appears to be a funny video of a Facebook friend. Once the video is clicked on, users are directed to a fake YouTube page, which then -redirects- them to a malicious Flash Player.exe for an Adobe update... Malware writers faked the number of views so the video seems to have been watched by over a million users... In an attempt to bypass security, the hackers got their hands on over 60 bit.ly API keys that helped them generate shortened URLs. The unique links are then spread on Facebook timelines. As API keys are randomly selected, blacklisting a couple does not stop the scam from spreading. Bitdefender has notified bit.ly of the issue. The malware writers used an add-on framework that allows their code to function on several browsers. With Google Chrome, the malicious YouTube video -redirects- users to a fake FlashPlayer install. The file, detected by Bitdefender as Trojan.Agent.BDYV, drops a password-protected archive on the computer and a .bat file, designed to run the executable in the archive after providing the password as a parameter. With Firefox, the page prompts for a malicious add-on install. On both browsers, the add-on tags 20 Facebook friends at a time and injects ad services into the page. The extension also fiddles with some of the social network’s functionalities so that users can't delete the malicious posts from their timeline and activity log..."
___

Bitly API key and MSNBC unvalidated redirects
- http://community.websense.com/blogs/...redirects.aspx
21 Jul 2014 - "... observed a -spam/fraud- campaign whereby a user is -redirected- from a real news site to a -fake- news site. In this case the real site is msnbc.com, which belongs to the well-known cable and satellite channel MSNBC. We have discovered that cyber criminals appear to have gained access to the publicly available MSNBC Bitly API key. This is being abused to create custom URL shorteners. Websense Security Labs has been tracking fraudulent sites of this kind since 2012, but this was the first time that a redirection technique of this type was observed. Executive Summary: The various methods used by this group include:
- Use of publicly available Bitly API key for redirection
- Use of a famous news site to redirect to a fake news site
- Four redirection steps from real news site to fake news site
- Spreading the link through Google and Yahoo groups and spam mail
Here is the -fake- news site to which the user is directed, hosted on a legitimate-looking host of hxxp ://fcxnws .com/:
> http://community.websense.com/cfs-fi...2D00_550x0.jpg
So far, Websense Security Labs has identified that the spam is spread through Google and Yahoo groups, and email. Example post on Google groups:
> http://community.websense.com/cfs-fi...2D00_550x0.jpg
Example post on Yahoo groups:
> http://community.websense.com/cfs-fi...2D00_550x0.jpg
... Bitly is a service to shorten URLs into a more user-friendly format. Shortened URLs are very convenient as they are easier to exchange due to their length, and can improve the look of a message. Businesses can set up their own 'short domains' and change their DNS settings to Bitly's servers. Each Bitly customer has their own API key that they can use to generate short URLs from full URLs. If the API key relates to an account that has set up their own short domain, the custom short domain will be used when generating a short URL... Bitly are currently blocking the redirection page at the time of writing. Kudos to them.
>> http://community.websense.com/cfs-fi...2D00_550x0.jpg
... Websense Security Labs identified other websites that keep their Bitly API key in public view. Exposing your Bitly API key is a risk if you have a short domain, as it allows anybody to generate short URLs on your short domain that redirect to anywhere of that person's choosing. This can make it appear as if your business is the one redirecting to malware/phishing/fraud etc. Fortunately, there's not much more that anybody can do with an API key as any account-related or link editing features can only be accessed after an OAuth login. All requests to the Bitly API should be done on the website's back end, on the server-side. This means that the API key will never be seen by public users on the front end and your API key remains safe. You can read about Bitly's API best practices here: http://dev.bitly.com/best_practices.html . URL shorteners are very useful, but come with their own security risks and should be used with caution from a developer and from a user point of view."

Last edited by AplusWebMaster; 2014-07-22 at 05:53.

The machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
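The "Recommended blocklist" entries quoted in this thread (the single IP above, and the /24, /26 and /29 ranges in later posts) are published in a defanged form, with a space before the TLD or "hxxp ://" in place of "http://". The following is an added example, not code from dynamoo.com or from the forum poster: it refangs such indicators, sorts them into CIDR networks and domains, and matches constructed proxy log lines against them so that hits on hijacked subdomains (e.g. walex2.ddob.us) are caught as well as direct hits on the IP ranges. The log line format (`src= dst= host=`) is an assumption for the example.

```python
"""Match proxy/firewall log lines against the 'Recommended blocklist' indicators
quoted in this thread. Added example, not dynamoo.com's or the forum author's
code. The log lines in SAMPLE_LOG are constructed for the example."""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators as they appear in the thread, in their defanged form.
RAW_BLOCKLIST = [
    "188.120.198.1",
    "37.139.47.0/24",
    "198.27.110.192/26",
    "88.198.252.168/29",
    "31.210.96.152/29",
    "dora-explorer .co.uk",
    "adultvideoz .net",
    "ddob .us",
    "izaksuljkic .tk",
]

# Constructed sample log lines (format is an assumption for this example).
SAMPLE_LOG = [
    "2014-07-21T10:00:01 src=10.0.0.5 dst=188.120.198.1 host=dora-explorer.co.uk",
    "2014-07-21T10:00:05 src=10.0.0.7 dst=93.184.216.34 host=example.com",
    "2014-07-24T09:12:44 src=10.0.0.9 dst=37.139.47.167 host=37.139.47.167",
    "2014-07-26T11:02:10 src=10.0.0.3 dst=198.27.110.200 host=walex2.ddob.us",
]

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+host=(?P<host>\S+)")


def refang(indicator: str) -> str:
    """Undo the defanging conventions used in the quoted posts:
    'hxxp ://x .com', 'x(dot)com', 'x[.]com' -> 'http://x.com'."""
    s = indicator.strip().lower()
    s = s.replace("hxxp", "http").replace(" ://", "://")
    s = re.sub(r"\s*\(dot\)\s*", ".", s)
    s = re.sub(r"\[\.\]", ".", s)
    s = re.sub(r"\s+\.", ".", s)  # "ddob .us" -> "ddob.us"
    return s


def build_blocklist(raw: List[str]) -> Tuple[List[ipaddress.IPv4Network], Set[str]]:
    """Split refanged indicators into IP networks and domain names."""
    networks, domains = [], set()
    for item in raw:
        item = refang(item)
        try:
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:  # not an IP or CIDR, treat as a domain
            domains.add(item)
    return networks, domains


def domain_blocked(host: str, domains: Set[str]) -> bool:
    """True if host is a listed domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ip_blocked(ip: str, networks: List[ipaddress.IPv4Network]) -> Optional[str]:
    """Return the matching network (as a string) or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in networks:
        if addr in net:
            return str(net)
    return None


def scan_log(lines: List[str], raw: List[str] = RAW_BLOCKLIST) -> List[Dict[str, object]]:
    """Return one record per log line that touches a listed IP range or domain."""
    networks, domains = build_blocklist(raw)
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        net = ip_blocked(m["dst"], networks)
        dom = domain_blocked(m["host"], domains)
        if net or dom:
            hits.append({"src": m["src"], "dst": m["dst"], "host": m["host"],
                         "network": net, "domain_match": dom})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The domain match is a suffix match on purpose: the posts stress that most listed hosts are hijacked subdomains of otherwise legitimate domains, so matching only the exact name listed would miss sibling subdomains created by the same attacker.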

Facebook SCAMs, Tumblr SPAM apps...

FYI...

Facebook SCAM - 'Actual Footage Missile MH-17'
- http://www.hoax-slayer.com/footage-m...vey-scam.shtml
July 22, 2014 - "Facebook message claims that users can see actual footage of the missile fired at downed Malaysian Airlines flight MH17 by pro-Russian militants. The promised video does not exist. The message is a -scam- designed to trick people into spamming their friends with the same fake material and participating in -bogus- online surveys. If this message comes your way, do not click any links that it contains.
> http://www.hoax-slayer.com/images/fo...vey-scam-1.jpg
This message, which is being distributed on Facebook, promises users actual footage showing the missile that destroyed Malaysian Airlines flight MH17. The message invites users to click a link to view the footage... The supposed video is just a trick to get you to click the link in the message. In fact, the message is a typical 'shocking video' survey scam. If you click the link in the message, you will be taken to a fake Facebook Page that supposedly hosts the video. The fake page comes complete with equally fake user comments... scammers quickly exploit every high-profile disaster and the MH17 tragedy is no exception. In coming days and weeks, be wary of any message that asks you to click a link to access video or breaking news pertaining to MH17..."
___

Spammy Tumblr Apps and Stalker Hunting
- http://blog.malwarebytes.org/fraud-s...alker-hunting/
July 22, 2014 - "... the latest one currently bouncing around the popular social network. You’ll notice it apes the template of the site in the linked blog [1] – same spam posts, same spam application name – although the website for this one looks fairly slick. It’s possible this one is closely related to the February spamrun, as the same Bit.ly user account created shortening URLs for both. Here’s the spam popping up on various blogs:
> http://cdn.blog.malwarebytes.org/wp-...tumbstalk1.jpg
Below is the site it leads to, located at reviewsloft(dot)com/a/?3
> http://cdn.blog.malwarebytes.org/wp-...tumbstalk2.jpg
... Once the install is done, they’ll show the inevitable surveys to the end-user to make some money. As before, a bit.ly link is used... With this current spamrun we can see that we’re hitting about 19,000 in 12 days, with around 2,000 clicks listed as coming from Tumblr and the rest classed as “unknown”. Not a huge amount of information to go on, then, but a good reminder that people continue to fall for this type of scam which has been around for the longest time. As a final note, the -rogue- application will continue to post to your Tumblr until you go into your user settings and remove the app... follow the instructions listed on the Tumblr account security page*. At that point, the spam posts can stop..."
* https://www.tumblr.com/docs/en/account_security

Fake Credit Applicaiton – PDF malware
- http://myonlinesecurity.co.uk/fw-cre...e-pdf-malware/
22 July 2014 - "Fw: Credit Application is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads: ... Please see credit application for West Star Environmental.
The job we have for them is for $ 46,214.00
Thank you,
From: Jimmy Robertson
Sent: Tue, 22 Jul 2014 11:57:13 +0100
Subject: Credit Applicaiton
Good Afternoon,
Here is our credit application. If you should require further information please feel free to contact me.
Jimmy Robertson
West Star Environmental, Inc.
4770 W. Jennifer
Fresno, CA 93722 ...

22 July 2014: SWF_CREDIT_APPLICATION.pdf.zip (10kb) Extracts to SWF_CREDIT_APPLICATION.pdf.scr... Current Virus total detections: 5/53*
This Fw: Credit Applicaiton is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1406038205/
___

Over 30 financial institutions defrauded by phone apps used to intercept passwords
- http://www.reuters.com/article/2014/...0PX02T20140722
Jul 22, 2014 - "More than 30 financial institutions in six countries have been defrauded by sophisticated criminal software that convinces bank customers to install -rogue- smartphone programs... Though many of the elements of the malicious software, including the interception of one-time passwords sent to phones, have been used elsewhere, the latest criminal campaign is unusual in that it combines many different techniques and leaves few traces... Banks in Austria, Sweden, Switzerland and Japan have all been hit, with damages somewhere in the millions of dollars... The least sophisticated part of the gang's work so far appears to be in the delivery of the software, according to a report by Trend Micro researchers*. Emails that appear to be from major retailers come with attachments that, when opened, prompt the user to download a malicious attachment of an unusual type, called a control panel item. If users do not click again, they are safe. If they do, the software goes to work and hides itself out of view of most antivirus protection. When an infected user later tries to visit the website of one of the targeted banks, the software redirects them to a -fake- site, which asks for login details and then prompts the user to download a smartphone app. That app later intercepts the one-time passwords, giving the gang both that data as well as the login information, enough to clean out an account..."
* http://blog.trendmicro.com/trendlabs...tion-emmental/
___

Scams exploit MH17 Disaster
- http://www.hoax-slayer.com/m17-scams.shtml
July 21, 2014 - "... callous criminals waste no time in exploiting disasters such as air-crashes, terrorist attacks, storms, or tsunamis. The MH17 missile attack tragedy is no exception. In coming days and weeks, Internet users should be wary of scam attacks that attempt to trick people into following links or opening attachments in messages that are supposedly related to MH17... after clicking such a link, you are told that, before you proceed, you must share the post, participate in a survey, install an app or browser extension, or download a video player update or other software, close the page immediately..."

Facebook SCAM - Mercedes Benz CLA 45' Giveaway
- http://www.hoax-slayer.com/mercedes-...ing-scam.shtml
July 21, 2014 - "Facebook Page claims that users can win a 'Mercedes Benz CLA 45 just by liking the page, liking and sharing a promotional post... The Page is -bogus- and the competitions that it promotes are not legitimate. There are no winners and no cars are being given away. This is a like-farming scam designed to fraudulently increase the number of likes garnered by the Page. Facebook Pages with high like-numbers can later be used to perpetrate further scams to a large audience. Alternatively, the Pages may be sold on the black market to other scammers...
> http://www.hoax-slayer.com/images/me...ing-scam-1.jpg
According to a 'Competitions' Facebook Page that is currently being promoted across the network, you could win one of 6 Mercedes Benz CLA 45's just by liking the Page, liking and sharing a Page post... The scammers may also use the bogus Pages to perpetrate advance fee scams... the like-heavy Pages can be sold via a lucrative black market to other scammers who will repurpose it to further their own goals..."

Last edited by AplusWebMaster; 2014-07-23 at 13:57.


Fake Facebook mails, Fake BBB email ...

FYI...

Fake Facebook mails lead to Pharma Spam
- http://blog.malwarebytes.org/fraud-s...o-pharma-spam/
July 23, 2014 - "... it may look as though something has gone wrong with your Facebook account, but it’s just a ruse to convince you to -click- the provided link. The message reads: “[Name], your messages will be deleted soon responsibly
You haven’t been to Facebook for a few days, and a lot happened while you were away.
Your messages will be deleted soon.”

Clicking either the View Messages or Go to Facebook button will result in the clicker hitting a php page on a .com(dot)au URL, before being redirected to a Canadian Pharmacy page:
> http://cdn.blog.malwarebytes.org/wp-...7/fbpharma.jpg
... we do not recommend purchasing random pills from websites you’ve discovered via -fake- Facebook spam mails. No matter how urgent-sounding or laced with impending doom a mail sounds, always consider that the sender simply wants you to click through with as much speed and as little thought as possible..."
___

Fake BBB complaint email – malware
- http://myonlinesecurity.co.uk/better...laint-malware/
23 July 2014 - "Better Business Bureau complaint is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This version is slightly different to the usual BBB complaints emails because there is -no- attachment and they want you to click the link to download the gameover -zeus- malware binary directly: July 23, 2014
Case# 5942415: Joe Russell
Dear Company:
As you are aware, the Better Business Bureau contacted you regarding the above-named complainant, seeking a response to this complaint. Your position is available online.
The following URL (website address) below will take you directly to this complaint and you will be able to view the response directly on our website:
http ://newyork.app.bbb .org/complaint/view/5942415/b/194439957f
< http ://castlestrategies .net/css/new_7g1.exe>
The complainant has been notified of your response.
The BBB believes that your response adequately addresses the disputed issues and/or has exhibited a good faith effort to resolve the complaint. The complaint will close as “Administratively Judged Resolved” and our records will be updated...

Live SSH Brute Force Logs and New Kippo Client
- https://isc.sans.edu/diary.html?storyid=18433
2014-07-23 - "... a new feature we have been working on for a while, that will display live statistics on passwords used by SSH brute forcing bots. In addition, we also updated our script that will allow you to contribute data to this effort. Right now, we are supporting the kippo honeypot to collect data. This script will submit usernames, passwords and the IP address of the attacker to our system... For data we are collecting so far, see:
- https://isc.sans.edu/ssh.html
... some of the passwords these scripts try out are not necessarily trivial, but they may be common enough to be worth while brute forcing targets."
___

I only have two samples of this, the originating IP addresses are:
1.34.211.10 (HINET, Taiwan)
117.212.18.140 (BSNL, India)
Poor Mr Fulford thinks that his email has been hacked.. it hasn't...
> https://3.bp.blogspot.com/-CS2tc0xdd...00/fulford.png
Attached is an archive file 1.zip which contains a malicious executable original_letter_234389_193.scr.exe... The Malwr report* shows that this part reaches out to the following IPs:
37.139.47.103
37.139.47.117
Both of these belong to Comfortel Ltd in Russia. From there another file 2.exe is downloaded which has a VT detection rate of just 3/53**. The Malwr report is inconclusive.
I'm not familiar with the Russian host, but having two bad IPs in close proximity makes me think that you probably want to block at least 37.139.47.0/24 or the whole 37.139.40.0/21 (almost all sites are in the /24 anyway). This netblock contains a mix of what look like legitimate Russian-language sites and obvious phishing sites."
* https://malwr.com/analysis/NGI0MWVmM...ZjNTA0YzBiNzI/

Fake invoice 4904541 July SPAM – PDF malware
- http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
23 July 2014 - "invoice 4904541 July is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... A very plain simple email that just says: This email contains an invoice file attachment

23 July 2014: invoice_4904541.zip (46 kb): Extracts to invoice_32990192.exe
Current Virus total detections: 3/53* ...This invoice 4904541 July is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is..."
* https://www.virustotal.com/en-gb/fil...is/1406127329/
___

Some WSJ systems taken offline after cyber attack
- http://www.reuters.com/article/2014/...0FS03N20140723
2014.07.23 - "Computer systems containing the Wall Street Journal's news graphics were -hacked- by outside parties, according to the paper's publisher Dow Jones & Co. The systems have been taken offline to prevent the spread of attacks, but Journal officials have not found any damage to the graphics, the newspaper said citing people at the Wall Street Journal familiar with the matter. A hacker who goes by the Twitter handle of 'w0rm' allegedly posted tweets and screenshots claiming to have hacked the Journal's website and offered to sell user information and credentials needed to control the server..."

Last edited by AplusWebMaster; 2014-07-24 at 11:18.


Fake Remittance, Fake Voicemail SPAM ...

FYI...

Fake Remittance Advisory SPAM – malware
- http://myonlinesecurity.co.uk/remitt...email-malware/
24 July 2014 - "Remittance Advisory Email is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email... This email doesn’t have an attachment but has a link in the body for you to click on & download the malware:
Thursday 24 July 2014
This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc.
Please review the details of the payment here.
<http ://dentairemalin .com/images/report934875438jdfg8i45jg_07242014.exe>
Lloyds Banking Group plc...

As you might expect, the attachment VoiceMail.zip does not contain a voice mail at all, but it is a malicious executable VoiceMail.scr which has a VirusTotal detection rate of 3/53*. The CAMAS report** and Anubis report*** show the malware downloading an encrypted file from the following locations:
egozentrica .com/wp-content/uploads/2014/07/tor2800_2.7z
reneerlaw .com/wp-content/uploads/2014/07/tor2800_2.7z
Blocking those sites may give some protection against this malware."
* https://www.virustotal.com/en-gb/fil...is/1406214495/

Attached is a file P6_rep_34320-289.zip which unZips to a folder called P6_rep(9432)_84632_732.doc which contains a malicious executable P6_rep(9432)_84632_732.doc.scr which has a VirusTotal detection rate of 4/53*. The CAMAS report** shows that a second component is downloaded from 37.139.47.167/bt/2.exe which in turn has a VirusTotal detection rate of 5/52***. The IP address of 37.139.47.167 is in the same /24 as the two other IPs mentioned here [1]. I would very strongly recommend blocking traffic to at least 37.139.47.0/24 or the whole 37.139.40.0/21 range (although there do seem to be some legitimate Russian-language sites in there)..."
* https://www.virustotal.com/en-gb/fil...is/1406281395/

Fake Virgin Media SPAM - PDF malware
- http://myonlinesecurity.co.uk/help-a...e-pdf-malware/
25 July 2014 - "Help & Advice – Virgin Media Business Virgin Media Automated Billing Reminder pretending to come from Virginmedia Business <services@ virginmediabusiness .co.uk>is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer...
> https://t2.gstatic.com/images?q=tbn:...edia%20Web.jpg
This e-mail has been sent you by Virgin Media to inform you that we were
unable to process your most recent payment of bill. This might be due to
one of the following reasons:
A recent change in your personal information such as Name or address.
Your Credit or Debit card has expired.
Insufficient funds in your account.
Cancellation of Direct Debit agreement.
Your Card issuer did not authorize this transaction.
To avoid Service interruption you will need to update your billing profile, failure to update your profile may lead in service cancellation and termination.
Please fulfill attached form and send it back to our email adress...

25 July 2014: form_19927-267.zip (85 kb): Extracts to billing_form91_4352-2105.pdf.scr
Current Virus total detections: 5/53* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7...is/1406293502/
___

Attached to the message is an archive invoice copy.zip which contains a folder invoice copy in which there is a malicious file invoice copy.exe which has a VirusTotal detection rate of 9/51*. The CAMAS report** shows that the malware downloads components..."
* https://www.virustotal.com/en-gb/fil...is/1406295906/

In this case the link in the email goes to verzaoficial .com/css/fax_390392029_072514.exe which downloads a file with a VirusTotal detection rate of just 1/45*. Automated analysis [pdf] is fairly inconclusive as to what it does."
* https://www.virustotal.com/en-gb/fil...is/1406297301/

Last edited by AplusWebMaster; 2014-07-25 at 17:08.


... the attachment Order.zip contains a malicious executable klopppp890.exe which has a VirusTotal detection rate of 18/53*... malware phones home to walex2.ddob .us/sddob/gate.php on 198.27.110.200 (OVH Canada reassigned to Big Kesh, LLC, US). Looking at the domains registered on 198.27.110.200 and the surrounding IPs there do seem to be a lot of malicious ones being used as malware C&Cs... I think this is enough evidence to block the entire 198.27.110.192/26 as a precaution (although there do appear to be a small number of legitimate sites too)...
Recommended blocklist: 198.27.110.192/26
xiga .us
ddob .us "(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1406366678/

Diagnostic page for AS16276 (OVH)
- https://www.google.com/safebrowsing/...?site=AS:16276
"... over the past 90 days, 3231 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-07-26, and the last time suspicious content was found was on 2014-07-26... Over the past 90 days, we found 483 site(s) on this network... that appeared to function as intermediaries for the infection of 1070 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 930 site(s)... that infected 219349 other site(s)."
___

Fake Order Notification SPAM - PDF malware
- http://myonlinesecurity.co.uk/notifi...e-pdf-malware/
26 July 2014 - "Notification of order is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... using an old trick to attempt to disguise the file name & fool you into thinking it is a genuine PDF by inserting loads of spaces between the pdf & the .exe: Dear Customer
We have received your order and it’ll be processed for 2 business days.
Your credit card will be charged for 803 USD.
You can find specification of the invoice and delivery details: http ://link.vpn .by/?id=157562
Yours truly,
Absalon Holmes
FG Charter Travel Company

Today's Date: bill.2563034.zip (53 kb): Extracts to bill.2563034.PDF____________.exe
Current Virus total detections: 1/53* . This Notification of order is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is..."
* https://www.virustotal.com/en-gb/fil...is/1406396500/

In the past this IP range has been used to host a number of legitimate Austrian sites, but at the moment it appears to be hosting -ransomware- landing pages exclusively. The domains in use are a combination of crappy .in domains registered to a series of -fake- addresses, plus a bunch of subdomains of legitimate domains that have been hijacked. What is interesting about these hijacked domains is that they all use afraid .org as nameservers. This hijacking at afraid .org is because these particular domain users are using the free afraid .org service which allows anyone to create a subdomain of your domain and point it where they like (explained in this FAQ*). The bad news is that this sort of -hijacking- is a quick way to ruin your domain's reputation... Blocking these landing pages will probably not stop a PC from becoming infected with ransomware, but monitoring or blocking the following list may give you some intelligence as to what is happening on your own network.
Recommended blocklist: 88.198.252.168/29
fernandocoelho .net.br
duk66 .com
cerone .com.ar
gigliotti .com.ar
clawmap .com
lareferencedentaire .com
izaksuljkic .tk..."(Complete list @ the dynamoo URL above.)
* https://freedns.afraid.org/faq/#14

Diagnostic page for AS24940 (HETZNER-AS)
- https://www.google.com/safebrowsing/...?site=AS:24940
"... Of the 327849 site(s) we tested on this network over the past 90 days, 2634 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-07-28, and the last time suspicious content was found was on 2014-07-28... Over the past 90 days, we found 328 site(s) on this network... that appeared to function as intermediaries for the infection of 2189 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 377 site(s)... that infected 4506 other site(s)..."
___

28 July 2014: BN_2118176.zip (83 kb) : Extracts to report_form2_28-07-2014.pdf.scr
Current Virus total detections: 2/54* . This Delivery failure , July 28, 2014 BN_3647007 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7...is/1406549984/
___

Fake skipped invoice SPAM – word doc malware
- http://myonlinesecurity.co.uk/skippe...d-doc-malware/
28 July 2014 - "skipped invoice is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... HI Richie,
Attached is invoice #2223 651.45 from May missed in check received.
I am out of the office tomorrow and Monday so I’m emailing & begging for payment to make month end.
Thanks & have a great weekend!
Katherine Sargent / Credit Manager
Pacemaker Steel and Piping Co., Inc. ...

28 July 2014: invoice_28.07.zip ( 11kb) : Extracts to invoice_28.07.doc.exe
Current Virus total detections: 5/54* . This skipped invoice is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word.doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1406569801/
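Several of the posts in this thread describe the same "spoofed icon" trick: an attachment such as bill.2563034.PDF____________.exe or invoice_28.07.doc.exe that Windows shows as a PDF or Word document when known file extensions are hidden, with padding between the fake and real extension so the .exe scrolls out of view, or a bare .scr/.exe inside a ZIP or RAR. The following is an added example, not code from myonlinesecurity.co.uk, dynamoo.com or the forum poster: a mail-gateway style triage of attachment names that flags executable extensions, document-then-executable double extensions, and padding. The sample names are taken from the thread; the extension lists and the gateway policy are assumptions for the example.

```python
"""Triage attachment file names for the disguises described in this thread:
document extension followed by an executable one (.pdf.scr, .doc.exe),
padding between the two (PDF____________.exe), and executables inside an
archive. Added example, not from any of the quoted sites. Extension sets
and policy are assumptions; sample names are quoted from the thread."""
from dataclasses import dataclass, field
from typing import List

# Extensions Windows will execute when double-clicked (assumed policy list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "cpl", "vbs", "js", "jar", "msi"}
# Extensions the spammers imitate with a fake icon.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
# Characters inserted between the fake and the real extension to push
# the real one out of view in Explorer and mail clients.
PADDING = " _-\u00a0"


@dataclass
class Verdict:
    name: str
    final_ext: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyze_name(name: str) -> Verdict:
    """Classify a single attachment name by its extension chain."""
    parts = name.strip().split(".")
    if len(parts) < 2:
        return Verdict(name, "")          # no extension at all
    final_ext = parts[-1].strip(PADDING).lower()
    verdict = Verdict(name, final_ext)
    if final_ext in EXECUTABLE_EXTS:
        verdict.reasons.append(f"executable extension .{final_ext}")
    # Any inner token that becomes a known extension once padding is stripped
    # is a disguise: the only extension Windows honours is the last one.
    for token in parts[1:-1]:
        bare = token.strip(PADDING).lower()
        if bare in DOCUMENT_EXTS or bare in EXECUTABLE_EXTS:
            verdict.reasons.append(f"double extension: .{bare} before .{final_ext}")
            if bare != token.lower():
                verdict.reasons.append(f"padding hides .{final_ext} behind .{bare}")
    return verdict


def analyze_archive(archive_name: str, members: List[str]) -> List[Verdict]:
    """Flag suspicious members of an attached archive. The archive's own
    extension is harmless; what unpacks from it is what matters."""
    flagged = []
    for member in members:
        verdict = analyze_name(member)
        if verdict.suspicious:
            verdict.reasons.append(f"inside archive {archive_name}")
            flagged.append(verdict)
    return flagged


if __name__ == "__main__":
    # Names quoted in the thread, plus one benign control.
    samples = [
        "SWF_CREDIT_APPLICATION.pdf.scr",
        "bill.2563034.PDF____________.exe",
        "invoice_28.07.doc.exe",
        "invoice copy.exe",
        "statement.pdf",
    ]
    for sample in samples:
        v = analyze_name(sample)
        print(f"{sample:40} suspicious={v.suspicious} {v.reasons}")
    for v in analyze_archive("Order.zip", ["README.txt", "klopppp890.exe"]):
        print(f"{v.name:40} {v.reasons}")
```

Stripping padding before comparing is the part that matters: a rule that only looks at the literal last extension still catches .PDF____________.exe, but a rule that searches for ".pdf.exe" as a substring does not, and that substring check is what a naive filter tends to implement.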

Something evil on 31.210.96.155, ...156, ...157 and ...158

FYI...

Something evil on 31.210.96.155, ...156, ...157 and ...158 (31.210.96.152/29)
- http://blog.dynamoo.com/2014/07/some...121096156.html
29 July 2014 - "I don't know quite what the exploit kit of the month is here, but the IP addresses 31.210.96.155, 31.210.96.156, 31.210.96.157 and 31.210.96.158 are currently serving up malware using -hijacked- GoDaddy domains, and are targeting victim websites by altering their .htaccess files** to intercept traffic coming from search engines such as Google. These IP addresses have been used for malware for some time*...VirusTotal reports for these IPs are pretty poor [1] [2] [3] [4]. I assume that they form part of an allocation 31.210.96.152/29 which I would very strongly recommend blocking that range... these appear to be subdomains of -hijacked- GoDaddy domains... I would recommend permablocking the following IP range and temporarily blocking the following domains:31.210.96.152/29 ..."(Long list at the dynamoo URL above.)
* http://c-apt-ure.blogspot.co.uk/2014...ars-later.html
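The post above describes .htaccess files altered so that only visitors arriving from a search engine are redirected elsewhere. A site owner checking for that kind of tampering can scan .htaccess content for RewriteRules guarded by an HTTP_REFERER condition that names a search engine and that send visitors to a host the site does not own. The script below is an added example written for this thread, not code from dynamoo or any other source quoted here; the sample .htaccess text, the host names and the function names are all constructed for illustration.

```python
"""Flag search-engine-referrer redirects in .htaccess content (added, constructed example)."""
import re

# Constructed sample modelled on the hijack described above: visitors who arrive from a
# search engine are rewritten to an external host, while everyone else sees the normal site.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (msie|firefox|chrome) [NC]
RewriteRule .* http://redirector.invalid/in.cgi?3 [R,L]
RewriteRule ^blog/(.*)$ /index.php?p=$1 [L]
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
SEARCH_ENGINES = re.compile(r"google|yahoo|bing|ask\.|aol", re.I)


def find_referrer_hijacks(text, own_hosts=()):
    """Return one finding per RewriteRule that (a) is guarded by an HTTP_REFERER condition
    mentioning a search engine and (b) redirects to an absolute URL on a host not in own_hosts."""
    findings, pending = [], []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            # RewriteCond lines only apply to the next RewriteRule, so collect them until then.
            pending.append((m.group(1).upper(), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target = m.group(2)
        conds, pending = pending, []            # the rule consumes its preceding conditions
        refers_search = any(var == "HTTP_REFERER" and SEARCH_ENGINES.search(pat)
                            for var, pat in conds)
        host = re.match(r"https?://([^/]+)", target, re.I)
        if refers_search and host and host.group(1).lower() not in own_hosts:
            findings.append({"conditions": conds, "target": target})
    return findings


if __name__ == "__main__":
    for f in find_referrer_hijacks(SAMPLE_HTACCESS, own_hosts={"www.mysite.invalid"}):
        print("referrer-conditioned redirect to", f["target"], "guarded by", f["conditions"])
```

Run it against every .htaccess under the web root (attackers tend to drop them in subdirectories as well as the document root) and treat any hit as a reason to compare the file with a known-good copy from backup. The check is deliberately narrow; an unconditional redirect or one keyed on the User-Agent alone will not be reported.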

Fake documents, Fake Amazon SPAM ...

FYI...

Fake 'documents ready for download' SPAM – PDF malware
- http://myonlinesecurity.co.uk/docume...e-pdf-malware/
30 July 2014 - "Your documents are ready for download is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads: Your documents 6419165973846 are ready, please sign them and email them back.
Thank you
John Garret
Level III Account Management
817-768-8742 office
817-874-8795 cell
johngarret@ natwest .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
The security of personal information about you is our priority. We protect this information by maintaining physical, electronic, and procedural safeguards that meet applicable law. We train our employees in the proper handling of personal information. When we use other companies to provide services for us, we require them to protect the confidentiality of personal information they receive...

30 July 2014: Documents_3922929617733.rar (10 kb): Extracts to Documents.scr
Current Virus total detections: 2/53*. This Your documents are ready for download is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fil...is/1406710734/
___

There's a ZIP file attached (in this case Order-853-9908013-4362599.zip) which unzips to a folder Order details with a malicious file ORDER-992-5188991-000933.exe which has a VirusTotal detection rate of 9/53*. The Comodo CAMAS report** shows that it downloads a further component...
This second executable has a VT detection rate of 5/54***..." (Long recommended blocklist at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/fil...is/1406729013/

Fake Order status 30.07.2014.xls – XLS malware
- http://myonlinesecurity.co.uk/order-...e-xls-malware/
30 July 2014 - "Order status -540130 30.07.2014.xls is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... An email received coming from a -random- name with -no- company details and a totally blank body and a subject of Order status -540130 30.07.2014.xls (different order numbers) with a zip attachment.
30 July 2014: 540130-30.07.2014.zip (47 kb): Extracts to order-8301138-30.07.2014.xls.exe
Current Virus total detections: 9/54*. This Order status -540130 30.07.2014.xls is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper Excel spreadsheet file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...is/1406736903/
___

Clicking OK downloads an executable from www.greenexpress .ge/swift//payslip.exe which you are presumably meant to run. It's a bit of an odd way to do it, so perhaps there's a reason. The HTML is simple enough...
> https://3.bp.blogspot.com/-TfUbI6lM0.../s1600/js2.png
...but why bother doing it this way at all? Well, it makes it just a bit harder for email security software to find the link because the attachment is Base 64 encoded... The malware itself has a VirusTotal detection rate of 31/53*... Automated analysis tools seem to time out or crash, which indicates that the malware is hardened against analysis, but the VT report does see traffic with a pattern that might be blockable if you have a webfilter..."
* https://www.virustotal.com/en-gb/fil...is/1406754444/
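Two lures recur in the posts above: a ZIP whose member is a disguised executable (invoice_28.07.doc.exe, order-8301138-30.07.2014.xls.exe, Documents.scr), which only the "show known file extensions" setting exposes, and a Base64-encoded HTML attachment whose link to an .exe is invisible until the attachment is decoded. A mail gateway or analyst script can catch both by letting the MIME parser decode every attachment and then looking at member names and embedded URLs. The code below is an added example written for this thread, not code from any of the quoted blogs; the sample message, file names and the constructed.invalid host are all made up for illustration, and only ZIP archives are inspected (the .rar sample from 30 July would need a separate reader).

```python
"""Inspect e-mail attachments for disguised executables and hidden links (added, constructed example)."""
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Extensions Windows runs as programs; a document-looking name in front of one of them
# (invoice_28.07.doc.exe) is the spoofed-icon trick that hides when known extensions are hidden.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def classify_name(name):
    """Return a reason string if the file name looks like a (disguised) executable, else None."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "document extension hides executable: " + name
    return "executable attachment: " + name


def suspicious_archive_members(zip_bytes):
    """List every member of a ZIP archive whose name looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = classify_name(info.filename)
            if reason:
                findings.append(reason)
    return findings


def links_in_html(html):
    """Extract absolute URLs from an already-decoded HTML attachment."""
    return URL_RE.findall(html.decode("utf-8", errors="replace"))


def scan_message(raw):
    """Walk the MIME parts; get_payload(decode=True) undoes the Base64 transfer encoding."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = {"archive_findings": [], "html_links": [], "bare_executables": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":                     # ZIP magic, whatever the name claims
            report["archive_findings"] += suspicious_archive_members(payload)
        elif part.get_content_type() == "text/html":
            report["html_links"] += links_in_html(payload)
        elif classify_name(name):
            report["bare_executables"].append(classify_name(name))
    return report


def build_sample_message():
    """Constructed sample: a ZIP lure plus a Base64-encoded HTML attachment (not a real spam)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_28.07.doc.exe", b"MZ constructed placeholder, not a real binary")
        zf.writestr("readme.txt", b"harmless")
    html = b'<html><body><a href="http://constructed.invalid/swift/payslip.exe">OK</a></body></html>'
    msg = EmailMessage()
    msg["From"] = "sender@constructed.invalid"
    msg["To"] = "victim@constructed.invalid"
    msg["Subject"] = "skipped invoice"
    msg.set_content("Attached is the invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_28.07.zip")   # add_attachment Base64-encodes by default
    msg.add_attachment(html, maintype="text", subtype="html", filename="payslip.html")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

The archive check keys on the ZIP magic bytes rather than the declared file name, so renaming the attachment does not bypass it, and every URL found inside an HTML attachment is reported regardless of whether it ends in .exe, because the redirect chain behind a link is not visible from the message alone.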

New Crypto-Ransomware in the wild
- http://blog.trendmicro.com/trendlabs...e-in-the-wild/
July 30, 2014 - "... new crypto-ransomware variants that use new methods of encryption and evasion... 'Cryptoblocker' will not drop any text files instructing the victim on how to decrypt the files. Rather, it displays the dialog box below. Entering a transaction ID in the text box will trigger a message stating that the “transaction was sent and will be verified soon.”:
> http://blog.trendmicro.com/trendlabs...7/cryptob1.jpg
... This malware does not use CryptoAPIs, a marked difference from other ransomware. CryptoAPIs are used to make RSA keys, which were not used with this particular malware. This is an interesting detail considering RSA keys would make decrypting files more difficult. Instead, we found that the advanced encryption standard (AES) is found in the malware code. A closer look also reveals that the compiler notes were still intact upon unpacking the code... Based on feedback from the Trend Micro Smart Protection Network, the US is the top affected country, followed by France and Japan. Spain and Italy round up the top five affected countries.
Countries affected by Cryptoblocker:
> http://blog.trendmicro.com/trendlabs...fection-01.jpg
... These ransomware variants prove that despite significant takedowns, cybercriminals will continue to find ways to victimize users. Users should remain cautious when dealing with unfamiliar files, emails, or URL links. While it might be tempting to pay the ransom for encrypted files, there is no guarantee that the cybercriminals will decrypt the ransomed files..."

Last edited by AplusWebMaster; 2014-07-31 at 02:49.

The machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

Backoff... Malware

FYI...

Backoff... Malware
Backoff Point-of-Sale Malware
- https://www.us-cert.gov/ncas/alerts/TA14-212A
July 31, 2014 - "... malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop [1] Apple Remote Desktop,[2] Chrome Remote Desktop,[3] Splashtop 2,[4] Pulseway[5], and LogMEIn Join.Me[6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request. USSS, NCCIC/US-CERT and Trustwave Spiderlabs have been working together to characterize newly identified malware dubbed "Backoff", associated with several PoS data breach investigations. At the time of discovery and analysis, the malware variants had low to -zero- percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could -not- identify the malware as -malicious- ..."
Description: “Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”). These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality. Additionally, 1.55 ‘net’ removed the explorer.exe injection component:
- Scraping memory for track data
- Logging keystrokes
- Command & control (C2) communication
- Injecting -malicious- stub into explorer.exe
The malicious stub that is -injected- into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.
Impact: The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.
Solution: At the time this advisory is released, the variants of the “Backoff” malware family are largely -undetected- by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It’s important to maintain up-to-date AV signatures and engines as new threats such as this are continually being added to your AV solution..." (More detail at the us-cert URL above.)
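The alert above says the initial access in these PoS breaches was password guessing against exposed remote desktop logins, often landing on an administrator account. On a Windows host that shows up as a burst of failed logons (Security event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, frequently followed by a success (event 4624) from the same source. The script below is an added example written for this thread, not from US-CERT or Trustwave; the event lines are a constructed, simplified rendering of those two event IDs, and the threshold and window are illustrative values.

```python
"""Flag remote-desktop password guessing in constructed Windows logon events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled on Windows Security events 4625 (failed logon) and 4624
# (successful logon). LogonType 10 is RemoteInteractive, the type an RDP session produces.
SAMPLE_EVENTS = """\
2014-07-31T02:10:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2014-07-31T02:10:02Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2014-07-31T02:10:03Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2014-07-31T02:10:04Z EventID=4625 LogonType=10 TargetUser=pos SourceIP=203.0.113.7
2014-07-31T02:10:05Z EventID=4625 LogonType=10 TargetUser=pos1 SourceIP=203.0.113.7
2014-07-31T02:10:09Z EventID=4624 LogonType=10 TargetUser=pos1 SourceIP=203.0.113.7
2014-07-31T02:11:00Z EventID=4625 LogonType=10 TargetUser=clerk SourceIP=198.51.100.9
2014-07-31T02:11:30Z EventID=4624 LogonType=10 TargetUser=clerk SourceIP=198.51.100.9
2014-07-31T02:12:00Z EventID=4625 LogonType=2 TargetUser=clerk SourceIP=127.0.0.1
"""


def parse_event(line):
    """Turn 'timestamp key=value key=value ...' into a dict with a parsed 'time' field."""
    ts, *fields = line.split()
    ev = {k: v for k, v in (f.split("=", 1) for f in fields)}
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP whose RDP logon failures reach `threshold` within
    `window`, recording whether a later RDP success from that source followed the burst
    (the pattern that precedes the PoS malware deployment described in the advisory)."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent 4625 events
    alerted = {}                    # source IP -> alert dict, created on the first burst
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("LogonType") != "10":        # only remote desktop logons are of interest here
            continue
        src = ev["SourceIP"]
        if ev["EventID"] == "4625":
            q = failures[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop failures outside the sliding window
                q.popleft()
            if len(q) >= threshold and src not in alerted:
                alerted[src] = {"source": src, "failures": len(q),
                                "first": q[0].isoformat(), "success_after": None}
        elif ev["EventID"] == "4624" and src in alerted and alerted[src]["success_after"] is None:
            alerted[src]["success_after"] = ev["TargetUser"]   # guessing ended in a working logon
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A single failure followed by a success (198.51.100.9 in the sample) is an ordinary mistyped password and is not reported; the alert that does fire carries the account the guessing succeeded on, which is the account to disable and the session to investigate first. The same logic applies to the audit logs of the third-party remote access products the advisory lists, once their failed/successful login records are mapped onto the two event kinds used here.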
___